Multi-chain wallet management, deterministic key derivation, and in-process transaction signing — one seed phrase, every chain.
Single BIP-39 mnemonic derives wallets on Solana, Ethereum, XRP, and more
Sign transactions without CLI shell-out — no race conditions
Solana, Ethereum, Base, Bitcoin, Cosmos, Tron, TON, Sui
Same seed + wallet name = same address. Always. Reproducible across machines.
Private keys derived on-demand in memory, never persisted
Not locked to any wallet provider — portable across frameworks
Each agent gets a unique wallet derived from the master seed + its name. "data-miner" on Solana always yields the same address.
All SOL transfers and receipt anchoring use signTransaction() for in-process ed25519 signatures.
Wallet addresses serve as unique agent IDs. Deterministic derivation means identity is portable across deployments.
One seed phrase creates unique wallets per agent per chain. 3 agents × 8 chains = 24 wallets from one seed.
signTransaction("data-miner", "solana", hex)
Private keys derived on-demand in process memory. Never written to disk, never passed via CLI args.
OWS sign → ed25519 signature → broadcast
Same agent has consistent identity across Solana, Ethereum, and XRP. Wallet address is the universal ID.
data-miner: SOL + ETH + XRP addresses
Deterministic derivation means you can reproduce any agent's wallet on any machine with the seed.
seed + name → same wallet everywhere
WALLET_SEED (BIP-39 Mnemonic — 12 or 24 words)
│
▼
OWS Key Derivation Engine
│
├── "data-miner" + "solana" → ed25519 keypair → 2G55Sds...YCcq
├── "data-miner" + "ethereum" → secp256k1 keypair → 0x1234...
├── "analyst" + "solana" → ed25519 keypair → CePyeK...eSkL
├── "analyst" + "ethereum" → secp256k1 keypair → 0x5678...
└── "research-buyer" + "solana"→ ed25519 keypair → 9LK89M...Y22A
Same seed + same name + same chain = same wallet. Always.import { signTransaction } from "@open-wallet-standard/core";
// Build your transaction (e.g., Solana SystemProgram.transfer)
const messageBytes = transaction.serializeMessage();
const messageHex = Buffer.from(messageBytes).toString("hex");
// Sign in-process — key derived from seed, never touches disk
const result = signTransaction(
"data-miner", // wallet name
"solana", // chain
messageHex // serialized transaction as hex
);
// Add signature to transaction
const signatureBytes = Buffer.from(result.signature, "hex");
transaction.addSignature(fromPubkey, signatureBytes);
// Broadcast the fully-signed transaction
const txHash = await connection.sendRawTransaction(transaction.serialize());OWS uses deterministic key derivation: seed + wallet name + chain = keypair. The same inputs always produce the same output.
// Same seed, different agents → different wallets:
"data-miner" on Solana → 2G55SdspdgSLcrXm3ZcfSHuDhvuhXtQLWqf1zVbAYCcq
"analyst" on Solana → CePyeKXCtB6RzAatosDnnun3yryUzETKXA5rNEjPeSkL
"research-buyer" on Solana → 9LK89Mk3xQP3qf3bJjxW8Qe9HoiPer4EisY5tUoPY22A
// Same seed, same agent, different chain → different wallet:
"data-miner" on Solana → 2G55Sds... (ed25519)
"data-miner" on Ethereum → 0x1a2b3c... (secp256k1)
// Deploy on a new machine with the same seed → identical wallets| Chain | Key Type | Status |
|---|---|---|
| Solana | ed25519 | Active |
| Ethereum | secp256k1 | Active |
| Base | secp256k1 | Active |
| Bitcoin | secp256k1 | Planned |
| Cosmos | secp256k1 | Planned |
| Tron | secp256k1 | Planned |
| TON | ed25519 | Planned |
| Sui | ed25519 | Planned |
x402 Gate responds with 402 status + payment details (price, token, chain, recipient).
SystemProgram.transfer with amount in lamports, from agent to recipient.
Transaction message serialized to bytes, converted to hex string.
signTransaction() derives the key from seed + wallet name, produces ed25519 signature.
Raw signature bytes added to the Transaction object.
Signed transaction sent via sendRawTransaction, then confirmed.
SHA-256 receipt hash written to Solana Memo program as immutable proof.
Private keys are derived on-demand in process memory and discarded after signing.
No IPC, no CLI shell-out. Sign and broadcast happen atomically in the same process.
Previous approach: CLI sign → delayed broadcast → expired blockhash. OWS: sign → broadcast instantly.
The BIP-39 seed phrase is the only secret. Protect it, and all agent wallets are secure.
CRITICAL: Never commit WALLET_SEED
Store it in .env (gitignored) or a secrets manager. Anyone with the seed can derive all agent wallets and sign transactions.
# BIP-39 mnemonic phrase (12 or 24 words)
WALLET_SEED="your twelve word mnemonic phrase goes here for wallet derivation"
# Generate a new seed:
# npx @open-wallet-standard/cli initnpm install @open-wallet-standard/coreIf you deploy agents on multiple machines with the same WALLET_SEED, they'll derive identical wallet addresses. This is by design — deterministic key derivation makes agent identity portable.
Wallet Infrastructure
Multi-chain agent identity system — one seed, portable identity across all chains
Security Track
Zero-knowledge agent wallet management with on-demand key derivation
Agent Framework
Pluggable wallet backend for any agent framework (LangChain, CrewAI, AutoGPT)
Enterprise
HSM-backed OWS for institutional agent deployments with audit trails
| Function | Parameters | Returns |
|---|---|---|
| signTransaction | walletName, chain, messageHex | {signature: string} |